Mac Malware with Developer ID

Monday, May 20, 2013 @ 01:05 PM gHale


A new piece of Apple OS X malware is now floating around.

It was uncovered at the annual Oslo Freedom Conference, where activists meet to share tips on advancing human rights: security researcher Jacob Appelbaum found the code on a laptop owned by an Angolan human rights campaigner.


Found during a workshop on securing hardware against government intrusion, the malware was taking screenshots of the infected system and uploading them to two command and control servers.

The malware is a hidden program called macs.app that installs itself among the computer’s login items so it launches each time the machine boots. It was signed with a legitimate Apple Developer ID, which let it pass the Gatekeeper check.

Once active, the software takes screenshots at regular intervals and sends them to two servers – one of which is inactive, the other private. Since the initial discovery, researchers have found a second sample of the malware on another system, but no one believes this is a large-scale attack.

“The Angolan activist was pwned via a spear phishing attack – I have the original emails, the original payload and an updated payload,” Appelbaum said. He also said Apple has revoked the developer ID used to sign the code.

Removing the malware is relatively simple. F-Secure has already added a signature for it to its security software, and users can remove it by hand by deleting macs.app from the login items list and from the Applications folder.
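The two facts that matter for defenders here are the persistence mechanism (a login item) and the signing status (a Developer ID certificate, which tells Gatekeeper who Apple issued the certificate to, not whether the code is benign). The script below, an added illustration that is not code from this article, from F-Secure or from Apple, enumerates login items and classifies each one’s signature chain so that Developer ID-signed login items stand out for review. It assumes the `codesign`, `spctl` and `osascript` tools behave as on a stock OS X/macOS install; the embedded `codesign` output is constructed for the offline demonstration and its team name and identifier are placeholders, not values from the real sample.

```python
"""Audit login items and classify each one's code signature.

Added illustration, not code from the article, F-Secure or Apple.
Assumes stock macOS `codesign`, `spctl` and System Events behaviour.
"""
import subprocess
import sys

# Constructed sample of `codesign -dvvv` output for a Developer ID-signed
# bundle. The team name and TeamIdentifier are placeholders, not the
# real malware's values.
SAMPLE_DEVID_OUTPUT = """\
Executable=/Users/alice/Applications/macs.app/Contents/MacOS/macs
Identifier=com.example.macs
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20100 size=213 flags=0x0(none) hashes=5+3 location=embedded
Signature size=4223
Authority=Developer ID Application: EXAMPLE DEVELOPER (PLACEHOLDER1)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=PLACEHOLDER1
Sealed Resources version=2 rules=12 files=3
"""

# Constructed sample of codesign's complaint about an unsigned bundle.
SAMPLE_UNSIGNED_OUTPUT = "/tmp/foo.app: code object is not signed at all\n"


def parse_codesign(output):
    """Turn `codesign -dvvv` text into a dict holding the authority chain."""
    info = {"authorities": [], "signed": True}
    for line in output.splitlines():
        if "code object is not signed" in line:
            info["signed"] = False
            continue
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "Authority":
            info["authorities"].append(value.strip())
        else:
            info[key.strip()] = value.strip()
    return info


def classify(info):
    """Label the signer class a Gatekeeper-style review cares about."""
    if not info["signed"]:
        return "unsigned"
    auths = info["authorities"]
    if not auths or auths[-1] != "Apple Root CA":
        return "untrusted-root"  # chain does not end at Apple's root
    if any(a.startswith("Apple Mac OS Application Signing") for a in auths):
        return "app-store"
    if any(a.startswith("Developer ID Application:") for a in auths):
        return "developer-id"  # identity only: says who, not whether it is safe
    if any(a.startswith("Software Signing") for a in auths):
        return "apple-platform"  # Apple's own system software
    return "other-apple-chain"


def login_item_paths():
    """Ask System Events for every login item's path (macOS only)."""
    script = 'tell application "System Events" to get the path of every login item'
    out = subprocess.run(["osascript", "-e", script],
                         capture_output=True, text=True, check=True).stdout
    # AppleScript returns a comma-separated list; paths containing commas
    # would need a delimiter change, which this demo does not handle.
    return [p.strip() for p in out.split(",") if p.strip()]


def inspect_path(path):
    """Report a bundle's signer class, team ID and Gatekeeper verdict."""
    cs = subprocess.run(["codesign", "-dvvv", path], capture_output=True, text=True)
    info = parse_codesign(cs.stderr)  # codesign writes its details to stderr
    # spctl consults Gatekeeper, which unlike codesign also honours
    # certificate revocation (relevant once Apple revokes an ID).
    gk = subprocess.run(["spctl", "--assess", "--type", "execute", "-vv", path],
                        capture_output=True, text=True)
    return {"path": path, "signer": classify(info),
            "team": info.get("TeamIdentifier"), "gatekeeper_ok": gk.returncode == 0}


def main():
    if sys.platform != "darwin":
        # Off macOS, show the parser on the constructed sample only.
        print(classify(parse_codesign(SAMPLE_DEVID_OUTPUT)))
        return
    for path in login_item_paths():
        print(inspect_path(path))


if __name__ == "__main__":
    main()
```

A login item classified as `developer-id` is not malicious by itself; the point is that it is not App Store-vetted and deserves a look at its team identifier and at what it does at launch. Running `spctl --assess` alongside `codesign` matters because only the former reflects a revocation such as the one Apple applied here.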

The use of a Developer ID is unusual for OS X malware, and that fact, together with the highly targeted delivery method, suggests a custom job built specifically to spy on particular individuals.



One Response to “Mac Malware with Developer ID”

  1. […] Mac Malware with Developer ID – A new piece of Apple OS X malware has been found which takes screenshots of the machine and uploads them to command and control servers. Since the app has “a sign off from a legitimate Apple developer ID,” it got past Apple’s defenses. Removal is relatively simple and F-Secure has the signature in their software. Via ISS Source, more here. […]

